From the release notes:
• On Unix, avoid a use-after-free if two usernames have the same
numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used.
Like Unix filesystems, D-Bus' model of identity cannot distinguish
between users of different names with the same numeric uid, so this
configuration is not advisable on systems where D-Bus will be used.
Thanks to Daniel Onaca.
(dbus#305, dbus!166; Simon McVittie)
This version has been in tree since July, so maybe time to stable?
Please clean up, thanks!
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202012-17 at https://security.gentoo.org/glsa/202012-17
by GLSA coordinator Thomas Deutschmann (whissi).
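
The release notes quoted above advise against having two usernames on one numeric uid wherever D-Bus is used. The following is an added example, not part of this bug report or of D-Bus, that lists such accounts from passwd-format input. The names dup_uids and sample_passwd and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: report numeric uids shared by more than one username.
# dup_uids and sample_passwd are illustrative names; the accounts are constructed.

# dup_uids FILE   (FILE is passwd-format; "-" reads standard input)
# Prints one line per shared uid: "<uid><TAB><name1>,<name2>,..."
dup_uids() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        /^[+-]/ { next }                     # NIS compat entries
        NF < 3 || $3 !~ /^[0-9]+$/ { next }  # malformed or non-numeric uid
        {
            uid = $3
            sub(/^0+/, "", uid)              # "01000" and "1000" are the same uid
            if (uid == "") uid = "0"
            if ((uid, $1) in seen) next      # same name listed twice: no collision
            seen[uid, $1] = 1
            if (uid in names) {
                names[uid] = names[uid] "," $1
                shared[uid] = 1
            } else {
                names[uid] = $1
                order[++n] = uid             # first-seen order keeps output stable
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in shared)
                    printf "%s\t%s\n", order[i], names[order[i]]
        }
    ' "$1"
}

# Constructed sample input: two uid collisions, one of them hidden by a leading zero.
sample_passwd() {
    cat <<'EOF'
# constructed sample
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alt root:/root:/bin/sh
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
alice2:x:01000:1000::/home/alice2:/bin/bash
+::::::
broken line
bob:x:1001:1001::/home/bob:/bin/bash
EOF
}

sample_passwd | dup_uids -
```

On a live system, `getent passwd | dup_uids -` also covers accounts that NSS enumerates from sources other than /etc/passwd.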